0

nmap offers OS-detection functionality based on TCP/IP fingerprinting by sending six probing packets and analyzing their responses. In the documentation it says that some of them are sent to an open port and some are sent to a closed port.

Does anyone know how nmap decides which port to send the probes to? Does it just look for the first closed port and the first open port it can find? Does it search for them in a certain order? Or does it randomly pick a port?

arne.z
  • 357
  • 1
  • 6
  • 24

2 Answers

1

In this case, there is no better documentation than the code itself. Nmap relies on port scan results to determine a list of open and closed ports. It is looking for three things in particular:

  1. an open TCP port
  2. a closed TCP port
  3. a closed UDP port

Generally speaking, it chooses the first of these (lowest number) that it knows of, but there are a couple of rules for things that it tries to avoid:

  • Do not use port 0. For most systems, this is not a valid port number. The chance is pretty high that if port 0 is found open, the thing using it to communicate is not the OS's native IP stack.
  • If a service scan was performed, avoid ports that were labeled tcpwrapped. This can sometimes be a result of an IPS shutting down a connection, so skipping these ports helps assure that Nmap is getting an unmodified connection to the target.
bonsaiviking
  • 4,420
  • 17
  • 26
1

If I understood correctly, nmap tries open or closed ports only if it isn't able to detect the OS via fingerprint, but the documentation doesn't explain the sequence of checked ports. I think you could discover how by tracking your own traffic during the scan.